FISMA Compliance

What is FISMA?

The E-Government Act (Public Law 107-347), passed by the 107th Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA requires annual, objective assessments of the effectiveness of security controls on every information system operated by, or for, the Federal Government. FISMA requires both an internal evaluation and an independent assessment. As shown below, FISMA describes these security controls as control families. NIST SP 800-53 defines each of these families and references additional NIST special publications that further describe the execution of security activities for each family.

Demonstrate protection from attack. The SAINTexploit penetration testing tool provides a higher level of assurance of protection from attack.

SAINT provides a holistic approach to vulnerability assessment and risk management by combining detailed information about system vulnerabilities with potential outcomes (i.e., evidence) through penetration testing. Managers may choose to:

Run a scan using the custom FISMA vulnerability scan policy and display the results in a pre-formatted FISMA Vulnerability Assessment Report; or

Run the FISMA vulnerability scan, then use the results to run a penetration test based on known exploits, and then report on the outcomes.

SAINT's customizable scan configuration and scheduling features, together with its built-in trend analysis tools, enable IA managers to automate the continuous monitoring process, evaluate policies and practices, and adjust activities over time, supporting a policy of continuous improvement and reduced risk to critical infrastructure.

The following are all examples of SAINT's focus on support to evolving initiatives: